I. INTRODUCTION

Public-key cryptosystems offer a degree of flexibility not available
with conventional (private-key) systems [1,2]. In particular, the key
required for decryption in a public-key system can be changed at will,
even in the middle of a message. This makes the task of the
eavesdropper very difficult indeed. A frequently cited disadvantage of
public-key systems is their relative slowness (typically a few
kilobit/s) caused by the large amount of number-crunching they require
[3,4]. This has led to the development of hybrid cryptosystems in which
a key, exchanged via a slow public-key system, is subsequently used in
a fast conventional system, such as the Data Encryption Standard (DES)
[5]. In this paper we present a fast algorithm for executing the
knapsack cipher (a public-key cryptosystem) [6]. When implemented with
TTL integrated circuitry, this algorithm should permit data rates in
the neighborhood of 10 Mbit/s. This speed is sufficient to provide
security for a wide range of voice, data, and narrowband video traffic
without the need for a hybrid cryptosystem.

Section II presents an elementary example of the knapsack cipher 
to show how it operates. In Section III we describe the fast algorithm, 
and in Section IV we discuss a more sophisticated knapsack cipher. 

II. AN EXAMPLE OF THE KNAPSACK CIPHER 

A very simple (and insecure) knapsack cipher begins with an "easy" 
knapsack vector generated by a party who wishes to receive encrypted 
data [eq. (29) of Ref. 6], 

$$E = (1, 2, 4, 8, 17, 35, 68, 142). \tag{1}$$

The eight components of E form a super-increasing sequence: Each 
term is larger than the sum of all those preceding it. Let the data to be 
encrypted be represented as a vector with eight binary components, 

$$D = (1, 0, 0, 1, 0, 1, 1, 1). \tag{2}$$

To encrypt D using E, form the dot product, 

$$S_E = E \cdot D = 254. \tag{3}$$

The number $S_E$ is an encrypted form of D.

The super-increasing property of E guarantees that D can be recovered
from $S_E$ by subtracting successive components of E (beginning with
the largest) from $S_E$ and keeping the residue. If a component of E is
less than or equal to the residue at any stage in the subtraction, the
corresponding component of D is 1. If a component of E is larger than
the residue, the corresponding D component is 0 and we try the next
(smaller) component of E. This process is illustrated below for
$S_E = 254$ [eq. (3)],

     j    E_j    Residue    Action      New residue    D_j
     8    142      254      subtract        112          1
     7     68      112      subtract         44          1
     6     35       44      subtract          9          1
     5     17        9      skip              9          0
     4      8        9      subtract          1          1
     3      4        1      skip              1          0
     2      2        1      skip              1          0
     1      1        1      subtract          0          1

$$D = (1, 0, 0, 1, 0, 1, 1, 1).$$

Of course, E cannot be used for secure encryption, because if E were
obtained by an eavesdropper he could use it to decrypt any transmitted
message. The knapsack cipher provides security by transforming E into
a "hard" knapsack vector H (the public key), which can be used for
encryption, but which is useless for decryption. To generate this
transformation, the receiver chooses two secret integers M and W such
that: (i) M is larger than the sum of all the components in E, and (ii)
W and M are relatively prime. (This condition means that W is
invertible modulo M: $W^{-1} \cdot W = 1 \bmod M$.) Following Ref. 6,
we choose M = 291 and W = 176 (which implies $W^{-1} = 167$). H is
generated from E by

$$H_j = W \cdot E_j \bmod M, \tag{4}$$

yielding

$$H = (176, 61, 122, 244, 82, 49, 37, 257).$$

In the ideal case H looks like a random sequence; the super-increasing
structure of the original E is completely obliterated. H, the public
key, is sent to the transmitter and need not be kept secret.

To encrypt D using H, form the dot product as before,

$$S_H = H \cdot D = 763. \tag{5}$$

$S_H$ is the encrypted data. If the number of components in H is
large, say 100 or more, then an eavesdropper, even though he has H and
$S_H$, cannot recover D in a reasonable time. The legitimate receiver,
however, can recover D easily by using the inverse transformation,

$$S_E = S_H \cdot W^{-1} \bmod M. \tag{6}$$

That is, by using his secret M and $W^{-1}$, the receiver can convert
$S_H$ into the number $S_E$ [eq. (3)], the same number that would have
been obtained if D had been encrypted with E instead of H. Once he has
$S_E$, the receiver simply subtracts off successive components of E to
recover D.

III. A FAST DECRYPTION ALGORITHM 

The most time-consuming step of the knapsack cipher is the modular
multiplication of eq. (6). In practice, the quantities $S_H$, $W^{-1}$,
and M might be 100 to 200 bits long, making computation of $S_E$ very
slow. The calculation can be expedited by considering the n-bit binary
expansion of $S_H$,

$$S_H = b_{n-1} \cdot 2^{n-1} + \cdots + b_0 \cdot 2^0. \tag{7}$$

Substituting eq. (7) into eq. (6), we have

$$S_E = [\,b_{n-1}(2^{n-1} W^{-1} \bmod M) + \cdots + b_0(2^0 W^{-1} \bmod M)\,] \bmod M. \tag{8}$$

Each term in the square brackets is the product of a binary digit (0 or
1) and a fixed quantity (in parentheses), which can be computed ahead
of time and stored in a memory. Evaluation of $S_E$ thus reduces to a
sequence of table lookups and accumulations, one lookup for each bit
in $S_H$. After all the bits in $S_H$ have been processed, the final
reduction mod M is accomplished by an easy long division. [The division
is "easy" because each term in eq. (8) can be no bigger than M, so the
final sum can be no bigger than nM; division by M can therefore be
accomplished with only approximately $\log_2 n$ subtract-and-shift
operations in binary arithmetic.]

Table I shows the contents of the lookup table required for decryption
of the example in Section II, along with the binary representation of
$S_H = 763$. The value of the sum within the square brackets of eq. (8)
is seen to be 1127, which is equivalent to 254 in mod 291 arithmetic,
as required.

Table I — Lookup table for decryption of the example in Section II

     k    2^k * 167 mod 291    b_k
     9           241            1
     8           266            0
     7           133            1
     6           212            1
     5           106            1
     4            53            1
     3           172            1
     2            86            0
     1            43            1
     0           167            1

Figure 1 shows a block diagram of the decryption process. The basic
steps of lookup, accumulation, reduction mod M and successive
subtraction are pipelined, and within each step most of the processing
can be performed on all bits in parallel. This architecture results in
very fast operation, the speed limitation being either the memory
access time or the accumulator add time, whichever is greater. With
Schottky TTL and carry-lookahead addition, these times are both in the
neighborhood of 50 ns, so a throughput rate of 10 Mbit/s is reasonable.

Implementation of the decryption algorithm using very large scale
integration appears attractive. Most of the circuitry is simply a large
lookup table, as shown at the top of Fig. 1. Its capacity is determined
primarily by the number of components in E and the allowed range
(number of possible values) for each component of E. We can achieve
reasonable security by using 100 and $2^{100}$, respectively, for these
two parameters; this leads to a value for the modulus M in the
neighborhood of $2^{200}$. Since each component of H is less than M,
$S_H$ [eq. (5)] will be less than $2^{207}$. The lookup table must
therefore contain 207 words, each 200 bits long, implying a memory size
of approximately 41 kilobits. Additional memory (~15 kilobits) is
required to store the components of E. Thus, approximately 56 kilobits
of memory and some simple arithmetic logic to perform the steps of
accumulation, long division, and successive subtraction are adequate to
implement the decryption process. This level of complexity is within
the range of current VLSI technology [7,8].

Finally, we remark that a straightforward implementation of Fig. 1
may not be the best approach; several modifications of the basic
decryption algorithm must be investigated. For example, the lookup
table can be eliminated by calculating the numbers
$2^k W^{-1} \bmod M$ one-by-one as they are needed for each incoming
bit of $S_H$. Starting with $W^{-1}$, successive numbers can be
generated by a simple left shift (and subtraction of M if necessary).
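
The decryption path of this section as a software sketch, added here as
an example and not taken from the paper: the table-lookup form of
eq. (8), the tableless shift-and-subtract variant, and the successive
subtraction of Section II. The function names are assumptions; the
constants are the paper's worked values.

```python
# Added example; constants are the worked values from Sections II and III.
E = (1, 2, 4, 8, 17, 35, 68, 142)  # secret super-increasing vector, eq. (1)
M, W_INV = 291, 167                # secret modulus M and W^-1 mod M

def build_table(n_bits, w_inv=W_INV, m=M):
    """Precompute 2^k * W^-1 mod M for k = 0..n_bits-1 (Table I)."""
    return [(w_inv << k) % m for k in range(n_bits)]

def reduce_mod(total, m, n_terms):
    """Final reduction: total < n_terms*m, so ceil(log2(n_terms))
    subtract-and-shift steps replace a general division."""
    for s in range((n_terms - 1).bit_length() - 1, -1, -1):
        if total >= (m << s):
            total -= m << s
    return total

def fast_inverse(s_h, table, m=M):
    """Eq. (8): one lookup and one add per set bit of S_H.
    Returns (bracketed sum, S_E)."""
    if s_h < 0 or s_h >> len(table):
        raise ValueError("S_H does not fit the lookup table")
    acc = sum(t for k, t in enumerate(table) if (s_h >> k) & 1)
    return acc, reduce_mod(acc, m, len(table))

def fast_inverse_no_table(s_h, w_inv=W_INV, m=M):
    """Tableless variant: derive each 2^k * W^-1 mod M from the previous
    one by a left shift and a conditional subtraction of M."""
    acc, term, n_bits = 0, w_inv % m, max(s_h.bit_length(), 1)
    for k in range(n_bits):
        if (s_h >> k) & 1:
            acc += term
        term <<= 1
        if term >= m:
            term -= m
    return reduce_mod(acc, m, n_bits)

def solve_easy_knapsack(s_e, e=E):
    """Successive subtraction, largest component of E first; returns D."""
    bits = [0] * len(e)
    for j in reversed(range(len(e))):
        if e[j] <= s_e:
            bits[j], s_e = 1, s_e - e[j]
    if s_e != 0:
        raise ValueError("non-zero residue: not a valid ciphertext")
    return tuple(bits)

TABLE = build_table(10)  # S_H = 763 occupies 10 bits
ACC, S_E = fast_inverse(763, TABLE)
print(ACC, S_E, solve_easy_knapsack(S_E))
```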
IV. ITERATED KNAPSACK TRANSFORMATIONS

The security of the knapsack cipher is enhanced if iterated (multiple)
knapsack transformations are employed [9]. For example, the "hard"
vector H [eq. (4)] can be kept secret and used to generate a "harder"
public vector H',

$$H'_j = W' \cdot H_j \bmod M'. \tag{9}$$

Data can be encrypted with H' in the usual fashion,

$$S_{H'} = H' \cdot D. \tag{10}$$

If M' is chosen to be greater than the sum of all the components of H,
then data encrypted using H' may be decrypted using two successive
inverse transformations having the form of eq. (6). The cost of this
double-iteration technique in terms of the bandwidth efficiency of the
cipher is modest. For a 100-component knapsack, the modulus M' will be
roughly 100 times bigger than M; thus $S_{H'}$ will require only about
seven more bits than $S_H$ would have required.

Fig. 1 — The fast knapsack decryption algorithm. (Wide arrows signify
parallel data transfer.) Pipeline architecture and parallel processing
contribute to a high throughput rate. Hardware implementation would
require approximately 56 kilobits of memory and a small amount of
arithmetic logic.

We illustrate the double-iteration technique by continuing with the
example of Section II. Let M' = 2001 and W' = 1984, giving
$(W')^{-1} = 1177$. From eq. (9) we have

$$H' = (1010, 964, 1928, 1855, 607, 1168, 1372, 1634). \tag{11}$$

Encrypting D [eq. (2)] with H' yields $S_{H'} = 7039$.

Decryption requires two inverse transformations,

$$\begin{aligned}
S_E &= S_H \cdot W^{-1} \bmod M \\
    &= [S_{H'} \cdot (W')^{-1} \bmod M'] \cdot W^{-1} \bmod M \\
    &= [7039 \cdot 1177 \bmod 2001] \cdot 167 \bmod 291 \\
    &= 763 \cdot 167 \bmod 291 \\
    &= 254.
\end{aligned} \tag{12}$$

The cascaded inverse transformations in eq. (12) can be executed in
tandem using the algorithm of Section III. Thus, the decryption
process will entail a longer total delay (compared with the
single-iteration case), but the net throughput rate will be essentially
unchanged.
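
Key generation and the cascaded inversion of eq. (12) as an added
example, not code from the paper: each transformation is checked
against the two conditions the text places on the modulus and
multiplier, and decryption undoes the stages newest first. Function
names are assumptions; the inverses are computed with ordinary modular
arithmetic here, not with the Section III hardware algorithm.

```python
from math import gcd

E = (1, 2, 4, 8, 17, 35, 68, 142)    # secret easy vector, eq. (1)
D = (1, 0, 0, 1, 0, 1, 1, 1)         # data vector, eq. (2)
STAGES = [(291, 176), (2001, 1984)]  # (M, W), then (M', W'), from the text

def harden(vec, m, w):
    """One knapsack transformation, eq. (4) or (9), with both key checks."""
    if m <= sum(vec):
        raise ValueError("modulus must exceed the sum of the components")
    if gcd(w, m) != 1:
        raise ValueError("multiplier must be invertible modulo the modulus")
    return tuple(w * v % m for v in vec)

def public_key(easy, stages):
    """Apply the transformations in order; only the last vector is public."""
    vec = easy
    for m, w in stages:
        vec = harden(vec, m, w)
    return vec

def encrypt(key, data):
    """Dot product of the public vector with the binary data, eq. (10)."""
    if len(key) != len(data) or any(d not in (0, 1) for d in data):
        raise ValueError("data must be a binary vector as long as the key")
    return sum(k * d for k, d in zip(key, data))

def unwind(s, stages):
    """Cascaded inverse transformations, eq. (12), newest stage first.
    Returns every intermediate sum, ending with S_E."""
    trail = [s]
    for m, w in reversed(stages):
        s = s * pow(w, -1, m) % m
        trail.append(s)
    return trail

KEY = public_key(E, STAGES)          # H' of eq. (11)
print(KEY, unwind(encrypt(KEY, D), STAGES))
```

A second modulus that does not exceed the sum of the components of H
(1028 in this example) is rejected by `harden`, since the intermediate
sum $S_H$ could then wrap around M' and the cascade would no longer
return $S_E$.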

We mentioned earlier that straightforward use of the multiple
iteration technique reduces the bandwidth efficiency of the cipher. It
is possible, however, that for a given level of security, multiple
iterations may actually be more efficient than a single knapsack
transformation. This is because the enhanced security associated with
repeated transformations might permit a smaller range for the
components of E, and hence smaller values for the moduli M, M', etc.
The consequent reduction in the encrypted block length could offset the
seven-bit increase normally associated with each iteration.

V. CONCLUSIONS 

The existence of a fast algorithm for decryption of the knapsack
cipher means that the advantages of public-key cryptosystems can be
realized even in high-speed applications. Full integration of the
decryption process onto a single chip appears feasible with current
VLSI technology. The relationships among cipher security, bandwidth
efficiency, and number of iterations need further investigation.